Overview
- Theori’s public disclosure on Wednesday, April 29, shipped a 732‑byte Python exploit that they say works across Linux releases built since 2017.
- The flaw, tracked as CVE-2026-31431, stems from a logic error in the kernel’s authencesn crypto path that lets any user write four chosen bytes into a file’s in-memory page cache and then run a setuid binary as root.
- An upstream fix that reverts the risky 2017 in‑place optimization is in mainline, and Debian, Ubuntu, SUSE, Red Hat and others are rolling out patched kernels; teams are advised to disable the algif_aead module or block AF_ALG sockets until updates are installed.
- The risk is highest on multi‑tenant hosts, Kubernetes nodes, and CI runners because all processes share the page cache, a concern Together AI addressed by turning off algif_aead across its fleet within hours.
- Because the edit happens only in memory, common file‑integrity tools may miss it; the bug was found using Theori’s AI code auditor Xint Code and is rated High severity (CVSS 7.8), underscoring faster discovery of deep kernel issues.
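
For the interim mitigation mentioned above (disabling algif_aead until patched kernels are installed), the following added example, which is not from Theori or any vendor advisory, audits a host's module state. It assumes the module is disabled with a modprobe.d `install <module> /bin/false` override, which the page does not specify; the function names are hypothetical and the fixture files are constructed.

```shell
#!/bin/sh
# Added example: report whether a module is loaded and whether loading is blocked.
# File and directory paths are parameters so the checks also run on fixtures.

# module_loaded FILE NAME: true if NAME is listed in FILE (/proc/modules format).
module_loaded() {
    awk -v m="$2" '$1 == m { found = 1 } END { exit !found }' "$1"
}

# module_blocked DIR NAME: true if a *.conf in DIR has "install NAME /bin/false"
# (or /bin/true). A "blacklist" line is not counted: per modprobe.d(5) it only
# makes modprobe ignore the module's aliases and does not stop a load by name.
module_blocked() {
    for f in "$1"/*.conf; do
        [ -f "$f" ] || continue
        awk -v m="$2" '
            /^[ \t]*#/ { next }
            { mod = $2; gsub(/-/, "_", mod) }   # modprobe treats - and _ alike
            $1 == "install" && mod == m && $3 ~ /^\/(usr\/)?bin\/(false|true)$/ { found = 1 }
            END { exit !found }' "$f" && return 0
    done
    return 1
}

# audit_module PROC_MODULES MODPROBE_DIR NAME: prints one status word.
audit_module() {
    if module_loaded "$1" "$3"; then
        if module_blocked "$2" "$3"; then echo "loaded-needs-unload"
        else echo "loaded-unblocked"; fi
    else
        if module_blocked "$2" "$3"; then echo "blocked"
        else echo "loadable"; fi
    fi
}

# Constructed fixtures (not from a real host) so the example runs offline.
demo() {
    d=$(mktemp -d) && mkdir "$d/modprobe.d"
    printf 'algif_aead 16384 0 - Live 0x0\n' > "$d/modules"
    audit_module "$d/modules" "$d/modprobe.d" algif_aead
    printf 'install algif-aead /bin/false\n' > "$d/modprobe.d/disable-algif.conf"
    : > "$d/modules"
    audit_module "$d/modules" "$d/modprobe.d" algif_aead
    rm -rf "$d"
}
demo
```

On a live host the call would be `audit_module /proc/modules /etc/modprobe.d algif_aead`; a result of `loaded-needs-unload` means the override is in place but the module stays resident until it is unloaded or the host reboots.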